Changes

99 bytes added ,  18:31, 11 July 2014
Line 50: Line 50:  
| For svcControlMemory the parameter check had these two flaws:
 
| For svcControlMemory the parameter check had these two flaws:
   −
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. This ''might'' have allowed any process to RW map for PA 0x14000000-0x28000000 using the LINEAR flag, and thereby RW access to entire kernel memory giving ARM11 kernel code-execution.
+
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. However, the kernel doesn't actually use the input address for LINEAR memory-mapping at all besides the range-checks, so this isn't actually useful. This was fixed in the kernel by just checking for the LINEAR bit, instead of comparing the entire MemoryOperation value with 0x10003.
    
* Integer overflows on (addr0+size) are now checked that previously weren't(this also applies to most other address checks elsewhere in the kernel).
 
* Integer overflows on (addr0+size) are now checked that previously weren't(this also applies to most other address checks elsewhere in the kernel).
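Review bot: the rewritten first bullet (the + line) still describes the effect of setting an unused bit in op as making the range-check "less strict and not accurate" without saying what is actually skipped; the same sentence establishes that the GSP heap limitation was only applied when op equalled (u32)0x10003, so say that directly, e.g. "the GSP heap limitation was not applied at all". The "(like bit17?)" question mark should either be resolved or reworded as "an unused bit, for example bit 17", since a reader cannot tell whether the bit number is being asserted or asked. The fix as described, testing the LINEAR bit of MemoryOperation instead of comparing the whole value against 0x10003, is the right shape for this kind of check: keying on the flag that selects the behaviour rather than on one exact value means extra meaningless bits cannot route the call around the limitation, and the added sentence explaining why the bypass was not useful (the input address is not used for LINEAR mapping beyond the range-checks) is the part a reader most needs, so consider placing it directly after the sentence that describes the flawed equality check. Minor style point on the last bullet: "weren't(this" needs a space before the parenthesis.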
